Security Challenges in the Cloud


Lack of visibility or control on cloud resources 
Misconfiguration of cloud services 
Multi-cloud environment magnifies security challenges


Lack of a unified security toolset/controls for on-prem & cloud workloads 

Cloud Security


Cloud Workload Security with Qualys 


aws 
Google Cloud Platform


Vulnerability Management 

* Vulnerability Management (Internal & Perimeter)

* Threat Protection 

* Indicators of Compromise 

* Patch Management 


Policy Compliance 


* Policy Compliance (incl. Secure Configuration Assessment)


* File Integrity Monitoring 


Application Security 

* Web Application Scanning (WebApps and REST APIs)

* Web Application Firewall 

* API Security* 

Rich Visibility with CloudView

Visibility into your cloud resources


Identify public facing/perimeter resources


Resource usage by regions/accounts.


View associations to identify the blast radius

Compliance Assessment


Identify misconfigured resources


Detect resources that are non-compliant against standards such as CIS Benchmark


Identify top failed controls/account for prioritizing the remediation efforts

[Screenshot: CloudView dashboard with panels for AWS, Azure and GCP failures by control criticality, AWS CIS coverage, AWS CCM compliance, and the top 5 failed controls for AWS, Azure and GCP. The AWS failed controls shown concern IAM policies attached only to groups, access key rotation every 90 days or less, access keys unused for 90 days or greater, and security group ingress.]

Correlate with Vulnerability Data


Identify vulnerable instances with public IP and associated with the misconfigured security groups


Use vulnerability information for cloud instances to prioritize …


[Screenshot: CloudView resource list of AWS instances for the last 24 hours, with filters for Without Agents, With Public IP and Docker Hosts, and columns for instance ID, account, instance name, region, instance type, state and launch time.]

Serverless Visibility


Inventory support for AWS Lambda functions


Best practices policy for identifying misconfigurations


[Screenshot: CloudView resources view for Amazon Web Services filtered by resource.type: "Lambda Function", showing total Lambda functions by region and runtime, next to evaluation results for policy.name: "AWS Lambda Best Practices Policy" with failures by criticality.]

Controls listed in the policy results:

* Ensure that Lambda function has tracing enabled

* Ensure that Lambda Function is not using an IAM role for more than one La...

* Ensure that Multiple Triggers are not configured in Lambda Function

* Ensure that Lambda Runtime Version is latest and not custom

* Ensure that Lambda function does not have Admin Privileges

* Ensure that Lambda function does not have Cross Account Access


NEW 


Built-in Security with Cloud Providers 


Send findings into Azure, AWS, GCP Security Hubs


Access & investigate findings from within the Cloud Provider Security console


Native integration of vulnerability assessment of hosts, containers (MSFT Azure - Powered by Qualys)


[Screenshot: Native Azure Host, Container Scanning (Powered by Qualys). The findings list shows a Docker FollowSymlinkInScope function race condition and CentOS security updates for binutils, curl, bind and procps-ng.]

Container Security


NEW


Visibility into Container Infrastructure


Inventory for all your container infrastructure (Included with VMDR)


Visibility into containers via Scanner, Cloud Agent, Container Sensor


Tracking DockerHub official images


Upgrade for security across DevOps pipeline

Correlating with Vulnerability Data


Search based on all attributes


vulnerabilities.severity:"Severity 5" and repo.registry:"docker.io"


* Image info

* Registry info

* Containers for this image

* Vulnerability posture?

* Easy drill down for complete inventory


[Screenshot: Container Security image inventory for the query above, listing docker.io images (elasticsearch, redis, kibana, node, httpd, tomcat) with image ID, host count and vulnerability counts, and facets for labels, registry and vulnerability severity.]

Detecting Runtime Drift


Identify potential breaches in containers


"Drift" Containers, differ from their parent Images by vulnerability, software package composition, behavior, etc


[Screenshot: Container Security container inventory with summary tiles for Total Containers, Root Containers, Privileged Containers, Containers detected without CS Sensor and Containers in Drift, and facets for vulnerability severity, state, drift, privileged and root. The listed containers are Kubernetes kube-proxy, omsagent and tunnel-front containers.]

Detection, Response for Containers


Qualys layer for Container Runtime Security


Breach


Indicators of Compromise (e.g. File, Network Activity etc)

NEW


Container Runtime Security


Integrated into Qualys Platform

Function level firewall for containers


Granular security policies to control file, network, process behavior


Built-in policies from Qualys Threat Research


[Screenshot: container detail view with sections for Summary, Runtime Analytics, Services/Users, Installed Software, Associations and Vulnerabilities. The behavior log shows entries for /sbin/init accessing libraries under /lib/x86_64-linux-gnu/, marked Allowed and dated November 5, 2019.]

Towards Automated Remediation


Towards Seamless Visibility


Global IT Asset Inventory


Across application stack (Hosts, Kubernetes Pods, Containers, Serverless)


Correlate cloud inventory data with containers


[Screenshot: asset inventory dashboard including a Top Software Publishers panel.]

Securing Your Cloud Deployments


IaaS: EC2 Instance, Azure VM, GCP Instance

PaaS: RDS, Azure SQL Database, Elastic Beanstalk, Containers

SaaS: Google Suite, Office 365


SaaS Security (Aadya)


IOC


Cloud Infrastructure: S3 Bucket, Security Group, Network Security Group, Storage Blobs, Load Balancers, Firewall Rules


[Cloud provider logos, including Azure, Alibaba Cloud and Oracle Cloud.]

Thank You


Badri Raghunathan 
braghunathan@qualys.com 


